By Prince McLean
Published: 11:00 PM EST (08:00 PM PST)
Market research firm Gartner said this week that Apple's iPhone Firmware 2.0 update meets its criteria for 'appliance-level support status' for big businesses, but warned enterprises to approach expanded use of the handset slowly and with close examination.
Gartner's changing tune on the iPhone
Prior to Apple's iPhone 2.0 announcement in March of this year, Gartner analyst Ken Dulaney had characterized the iPhone as having questionable security policies that rendered it unfit for enterprise use. “We’re telling IT executives to not support [the iPhone]," Dulaney wrote in an initial Gartner report shortly before the launch of the original iPhone, "because Apple has no intentions of supporting [iPhone use in] the enterprise.”
In particular, Dulaney criticized the lack of any provision for "remote wipe," in the manner allowed by Microsoft Windows Mobile phones when linked with Exchange Server management tools. At the time however, Microsoft's own remote wipe feature was not able to clear Flash RAM cards installed in the majority of its phones. Because WinCE-based phones ship with very little usable RAM, removable SD Flash cards would contain the majority of most user's sensitive data, the very data corporations would want to wipe in the event of a lost phone or an employee termination. Software updates that provided adequate remote wipe weren't even available for many Windows Mobile phones until later in the fall.
Gartner hasn't noted this critical detail in its reports maintaining that the iPhone 1.x software was missing a feature that had been available for years on Windows Mobile. In addition, Apple's smartphone does not expose any Flash RAM card slot, making it more difficult to steal or lose data that has been downloaded to the phone without expert knowledge of how to forensically attach a USB serial connection to the iPhone and crack through its security to read data on the device. With a Windows Mobile phone, any remote wipe would have to occur before a thief ejected the SD memory card.
iPhone gets a RIM-style remote wipe
In March, following Apple's announcement of the iPhone 2.0 release addressing support for enterprise management tools, including remote wipe from Exchange, Gartner's Dulaney quickly issued "An Interim Update on the Apple iPhone," calling it "a technological advance rarely seen in the industry," and noting that Gartner
planned to endorse the handset under appliance-level support following the release of the enterprise improvements in iPhone 2.0.
Just days before the 2.0.1 release, Gartner finalized its approval of what it calls appliance-level support. "To achieve this level," Dulaney wrote, "the iPhone would need to support wireless e-mail and PIM for at least one popular enterprise e-mail system and include a minimum of two security policies: the ability to wipe the device of all data if lost or stolen, and a complex user password consisting of a coalpha, numeric and special characters in a pattern that cannot be easily guessed."
Gartner's testing found that the iPhone's remote wipe and strong password policy does work as advertised in a manner similar to Windows Mobile phones. The report explained, "As for setting these parameters, Microsoft uses a confusing approach, assuming that the end device will decide on what type of password will be enforced when the policy is received by the device. There is no feedback to the console that the policy has been enforced. Windows Mobile interprets the alphanumeric parameter as an instruction to force the user to employ a complex password. The iPhone replicates this function in the same manner, despite Microsoft's awkward implementation."
Gartner on iTunes software management
Gartner's approval of the iPhone in the enterprise is not without caveats. The report notes that Apple's iTunes software is required to sync the iPhone, and that it provides IT administrators with registry-level controls to deny users from performing specific tasks, such as downloading iPhone firmware updates prior to their being approved by the company's IT staff.
Gartner recommends companies make use these features, but notes that Apple could "improve the overall deployment scheme for iTunes to make it more
amenable to enterprise needs, such as making the options to turn off certain features an installation option versus requiring direct registry changes."
The report further recommended "that Apple enhance this area long term to optionally eliminate iTunes (that is, as a desktop application) as a necessary component to access business applications and manage the device, as Microsoft and Research In Motion (RIM) have done."
The iPhone Configuration Utility
Gartner was also critical of the iPhone Configuration Utility, used to set up configuration profiles on new phones. "In tests conducted by Gartner contacts, we have discovered that the product works via an unencrypted, distributed XML file which could be changed by the end user," Dulaney wrote. "Apple indicates that the profiles can be signed, warning the user of their legitimacy, but the most trusted management tools don't empower the user to make these types of security decisions."
In reality, signed iPhone configuration profiles (which include Exchange and other mail account settings, password policy, VPN and WiFi settings, controls on what apps can be used, and bundle in local credential certificates) are only marked as illegitimate if the certificate is not known to be trusted by a well know signing authority. If the profile were actually changed by the end user, it would not be marked as illegitimate, but would rather be discarded as a tampered profile.
The iPhone will simply not accept signed profiles that have been tampered with, so Gartner's somewhat sarcastic suggestion that Apple's tool 'empowers users to make security decisions,' based on speculative reports performed outside the company, is simply not accurate.
Third party software limits
Garter also criticized Apple for not allowing third parties to install background processes for "firewalling, data leak prevention, and other desirable functions that need multiprocessing, open application programming interfaces (APIs) or operating system (OS) shims to work." This fear reflects the current security situation on the Windows desktop, which Microsoft historically let third parties address with add-on antivirus, firewall, malware scanners, and other tools.
Microsoft is now working to provide all these services itself, in part because of stability and even security issues related to delegating away core operating system security tasks to third parties. This has become a subject of controversy in Windows Vista, as the multibillion dollar antivirus and security industry that grew up around Windows does not want to simply go away just because Microsoft would prefer to now handle its own security going forward.
Despite this, the Gartner report stats that, "A closed environment, where Apple guarantees all software that gets on the iPhone is safe (that is, in lockdown), might work conceptually, but in the past, enterprise attempts to work in this manner have encountered problems." It did not however make any mention of reputable third party mobile security software or compare the problems users and administrators face when trying to parcel their security needs out amongst various parties.
Obscurity on iPhone security
The report also noted that "Apple has indicated that there is an encryption API in the firmware, but we have not yet seen this feature exposed in an application to assess its viability or effect on the iPhone processor and, by inference, battery life."
All applications on the iPhone manage their own files in their own sandboxed arena, so there is no provision for dumping unencrypted files into an open file system that can be accessed by any app, leaving encryption an issue for third parties to address in their own apps. The only way to put unencrypted files on the iPhone is to include them as email attachments. No other smartphones have exposed a mechanism for encrypting emails or their attachments individually, and instead rely on password security for the device itself.
The report also stated, without offering further details, that the iPhone "does not deliver sufficient security for custom applications" and that "the iPhone could lower the overall security footprint. One way to mitigate concerns would be to limit functionality to browser access."
Other iPhone problems and issues
Among the other issues Gartner suggests for IT managers to consider in evaluating the use of the iPhone in the enterprise is the unit's ease of use in accessing data, particularly from the web. This is particularly a problem when roaming internationally, the report indicated. It recommends a "flat-rate International plan" for travelers, but does not note that data roaming services can be turned off as desired.
Gartner also indicates battery life may be an issue, as the new 2.0 software makes it difficult to use the iPhone throughout an entire day. Gartner suggest the problems may lie with Apple's implementation of ActiveSync or WiFi, and that Microsoft's own implementations of push messaging had similar problems, as "protocols such as SSL versus the more optimized UDP were in use, and the signaling methods were inefficient."
The report also cited the iPhone's inability to edit email attachments, the lack of copy and paste system-wide, and the lack of any mechanism to dial phone numbers within a calendar entry, as well as an all day calendar event issue that "may be a problem in Outlook."
Another iPhone issue Gartner blamed on Microsoft's software was the lack of sync between reply or forward flags on email items sent from the iPhone and their display on the desktop email client. "This is a problem with Exchange ActiveSync, and Apple must await improvements from Microsoft to correct this feature. BlackBerry, which uses an alternative method to access Exchange, can support these options."
The iPhone's use of a touch sensitive screen is noted as having trade-offs in common with all full touchscreen devices. The report also highlights the iPhone's relative weakness in providing support for usage profiles that would put the phone into modes geared for specific uses or environments, such as in a meeting.
Pass without the word
Gartner also worries that Apple's password screen might not allow users enough access without entering their password. "The iPhone does permit emergency calls when the password screen is displayed, but there is no access to the contact manager or other advanced telephony features," Dulaney wrote.
"RIM and Microsoft manufacturers provided similar limited telephony operation prior to password entry, but have been forced to greatly expand the telephony functions that do not require password input. We believe Apple must follow a similar path."
Enterprise suitability compared to other smartphones
Dulaney concluded, "Apple has delivered an iPhone that is acceptable for business use at the appliance level. Most prospective iPhone users will judge the device based on consumer appeal. The AppStore applications and the iPhone's excellent browser are supplemented with an e-mail client, which provides acceptable business capability with excellence in some areas."
Gartner now lists the iPhone among BlackBerry and Windows Mobile as devices that meet its required security policies, a definition that excludes Nokia's E class phones targeted at the enterprise. "Despite the popularity of this class of devices," Dulaney wrote, "Nokia has not yet been able to deliver the required two security policies that have been met by BlackBerry, Windows Mobile and, now, the iPhone."
